Clown
Clown is a ransomware that runs on Microsoft Windows. It was discovered by GrujaRS. It is part of the DMR64 family. It is aimed at English-speaking users.

Payload Transmission

Clown is distributed through trojans, spam campaigns, illegal activation tools ("cracks"), illegitimate updaters and untrustworthy download channels.

Infection

As Clown encrypts, affected files are renamed completely: the original filename is discarded and replaced according to the pattern - the cyber criminals' email address, "id=" followed by the victim's unique ID, and the suffix "Firefox.lnk.clown+". For example, a file originally titled "1.jpg" would appear as something like "SupportClown@elude.inid=1E857D00Firefox.lnk.clown+" following encryption. Because nothing of the original name survives, the encrypted name alone does not reveal which file it was.

After this process, an HTML application, "!!! READ THIS !!!.hta", and a text file, "HOW TO RECOVER ENCRYPTED FILES.txt", are dropped onto the victim's desktop. The two files are practically identical ransom notes. They inform users that all of their data has been encrypted. To restore it, users are to contact Clown's developers via the email address provided. The victims' letters must carry their ID in the subject field (the ID can be found in "!!! READ THIS !!!.hta", in "HOW TO RECOVER ENCRYPTED FILES.txt" and in the altered filenames). Recovery requires decryption software and keys, which can be purchased from the cyber criminals behind this ransomware. Users are told not to delay contacting the developers, as their decryption keys will only be stored for a week; after that period decryption will no longer be possible, and the speed with which victims respond will dictate the ransom size. Payment must be made in Bitcoin; both notes contain links explaining how and where to obtain this cryptocurrency. Before paying, users can send one encrypted file to test decryption.
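As an added triage example (not code from this wiki, from GrujaRS or from any Clown analysis), the following Python recognises the renaming pattern described above, pulls the email address and victim ID out of encrypted filenames and out of the ransom-note text, checks that both ransom notes are present, and confirms that the ID in the filenames matches the one in the note. It assumes the ID is always a run of hexadecimal digits (the page gives a single example, 1E857D00) and that the email address contains no whitespace or path separators; the file listing and note excerpt are constructed for the demo.

```python
"""Triage helper for Clown ransomware artifacts (added example, not the wiki's code)."""
import re
from pathlib import PureWindowsPath
from typing import Iterable, Optional

# Names taken from the page: the constant suffix of encrypted files and the two ransom notes.
CLOWN_SUFFIX = "Firefox.lnk.clown+"
RANSOM_NOTES = {"!!! READ THIS !!!.hta", "HOW TO RECOVER ENCRYPTED FILES.txt"}

# Encrypted name = <email>id=<ID><suffix>. Assumption: the ID is a run of hex digits
# (the page shows only one example, 1E857D00) and the email carries no whitespace
# or path separators.
_ENCRYPTED_NAME = re.compile(
    r"^(?P<email>[^\s/\\]+?@[^\s/\\]+?)id=(?P<vid>[0-9A-Fa-f]+)"
    + re.escape(CLOWN_SUFFIX) + r"$"
)
# The ransom note states the ID right after this fixed phrase.
_NOTE_ID = re.compile(r"Write this ID in the subject e-mail:\s*(?P<vid>[0-9A-Fa-f]+)")


def parse_encrypted_name(name: str) -> Optional[dict]:
    """Return {'email', 'id'} if `name` follows the Clown renaming pattern, else None."""
    m = _ENCRYPTED_NAME.match(name)
    if not m:
        return None
    return {"email": m.group("email"), "id": m.group("vid")}


def id_from_note(note_text: str) -> Optional[str]:
    """Extract the victim ID quoted in the ransom note, or None if it is absent."""
    m = _NOTE_ID.search(note_text)
    return m.group("vid") if m else None


def triage(paths: Iterable[str], note_text: str) -> dict:
    """Summarise a file listing: how many files are Clown-renamed, which ID/email they
    carry, whether the ransom notes are present, and whether the filename ID matches
    the note (a mismatch suggests more than one infection or a note from another victim)."""
    encrypted, ids, emails, notes_found = 0, set(), set(), set()
    for p in paths:
        name = PureWindowsPath(p).name  # handles both "\" and "/" separators
        if name in RANSOM_NOTES:
            notes_found.add(name)
            continue
        parsed = parse_encrypted_name(name)
        if parsed:
            encrypted += 1
            ids.add(parsed["id"])
            emails.add(parsed["email"])
    note_id = id_from_note(note_text)
    return {
        "encrypted_files": encrypted,
        "ids": sorted(ids),
        "emails": sorted(emails),
        "notes_found": sorted(notes_found),
        "note_id": note_id,
        "id_consistent": note_id is not None and ids == {note_id},
    }


# Constructed sample listing and note excerpt (not from a real infection): the
# encrypted name is the one the page gives, the directories are made up.
SAMPLE_PATHS = [
    r"C:\Users\alice\Pictures\SupportClown@elude.inid=1E857D00Firefox.lnk.clown+",
    r"C:\Users\alice\Documents\SupportClown@elude.inid=1E857D00Firefox.lnk.clown+",
    r"C:\Users\alice\Documents\budget.xlsx",
    r"C:\Users\alice\Desktop\!!! READ THIS !!!.hta",
    r"C:\Users\alice\Desktop\HOW TO RECOVER ENCRYPTED FILES.txt",
]
SAMPLE_NOTE = ("write us to the e-mail: SupportClown@elude.in "
               "Write this ID in the subject e-mail:1E857D00 It is in your interest")

if __name__ == "__main__":
    print(triage(SAMPLE_PATHS, SAMPLE_NOTE))
```

Feed it a real listing (for instance the lines of `dir /s /b` from the affected volume) together with the text of the dropped note. A mismatch between the filename ID and the note ID means the host holds files from more than one infection or a note that belongs to another victim; and since the encrypted name retains nothing of the original, the script can count and attribute files but cannot say which file is which.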
The test file will be restored to its original state as a guarantee that recovery is possible, provided it is no larger than 1 MB (non-archived) and contains no valuable information (databases, backups, large Excel sheets, etc.). Users are warned that renaming the encrypted files and/or attempting to decrypt them with third-party software can lead to permanent data loss.

Text presented in Clown's HTML application ("!!! READ THIS !!!.hta"):

All your files have been encrypted!
Your documents, photos, databases and other important files have been encrypted with strongest encryption.
you can return all your files if you want to restore files, write us to the e-mail: SupportClown@elude.in
Write this ID in the subject e-mail:1E857D00
It is in your interest to respond as soon as possible to ensure the restoration of your files, because we wont keep your decryption keys at our server more than one week.
The price depends on how fast you write to us.
Free decryption as guarantee
Before paying you can send us up to 1 file for free decryption. The total size of files must be less than 1Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.)
How to obtain Bitcoins
You can buy bitcoin from here: hxxps:localbitcoins.com/buy_bitcoins
Also you can find other places to buy Bitcoins and beginners guide here: hxxp:www.coindesk.com/information/how-can-i-buy-bitcoins/
Attention!
Do not rename encrypted files.
Using another tools could corrupt your files, in case of using third party software we don't give guarantees that full recovery is possible so use it on your own risk.

Category:Ransomware Category:Win32 ransomware Category:Win32 Category:Win32 trojan Category:Microsoft Windows Category:Trojan